Create a model for security.txt

Question

blink1073 opened this issue 3 years ago · comments

We should have a standard method for handling security.txt files.

Note that the one used by our main website is from the notebook project. Should the encryption file be generated per project?

M Bussonnier · Answer 1 · Mon Aug 30 2021 22:39:12 GMT+0800 (China Standard Time)

O don't think we need a per project encryption as vuln can anyway be across projects.

On Mon, Aug 30, 2021, 04:31 Steven Silvester ***@***.***> wrote: cf jupyter-server/jupyter_server#249 <jupyter-server/jupyter_server#249> We should have a standard method for handling security.txt <https://en.wikipedia.org/wiki/Security.txt> files. Note that the one used by our main website <https://github.com/jupyter/jupyter.github.io/blob/b954bd1f39b449991c6e4df559964019878c5e74/.well-known/security.txt> is from the notebook project. Should the encryption file be generated per project? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#3>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACR5T4A4Q5EJXOVW7CTSYLT7NTX7ANCNFSM5DBVQV5Q> .

Rick Wagner · Answer 2 · Tue Aug 31 2021 23:30:15 GMT+0800 (China Standard Time)

I agree, we should limit the number of encryption keys, but have a simple policy on how to manage them.

I submitted a minimal SECURITY.md for JupyterHub. Something like this could be part of a repository template.